Universal groups
Active Directory groups that are used to assign permissions to related resources in multiple domains. Membership is stored only in the global catalog and is replicated across the forest.
Active Directory Administrative Center (ADAC) or the Active Directory Users and Computers console
After creating a single user, you can use
In the Tasks pane, under the container name, click New > User
CREATE A USER WITH ACTIVE DIRECTORY ADMINISTRATIVE CENTER
In the Active Directory Users and Computers console, in the left pane, find the domain in which you want to create the user object and select a container in that domain. Click Action > New > User. The New Object - User Wizard starts.
CREATE A USER WITH ACTIVE DIRECTORY USERS AND COMPUTERS
two domain controllers
Every Active Directory domain should have a minimum of
remote domain controller
If the new domain controller is in a site that does not have a domain controller, replication will occur from
automatically
If the new domain controller is located in the same site as another, AD DS replication between the two begins
Windows Server 2016
In ___ you can now install Active Directory Domain Services on a computer running the Server Core installation option and promote the system to a domain controller, all by using Windows PowerShell
•Creating a computer account: You create a computer account by creating a new computer object in Active Directory and assigning the name of an actual computer on the network.
•Joining the computer to the domain: After you join a computer to the domain, the system contacts a domain controller, establishes a trust relationship with the domain, locates (or creates) a computer object corresponding to the computer's name, alters its security identifier (SID) to match the computer object, and modifies its group memberships.
In addition to creating user accounts in the domain, you need to make sure that the network computers are part of the domain. Adding a computer to an AD DS domain consists of
Windows PowerShell
It also is possible to use CSV files to create user objects with
LDAP Data Interchange Format Directory Exchange (LDIFDE.exe)
Like CSVDE, this utility imports AD DS information and uses it to add, delete, or modify objects, in addition to modifying the schema, if necessary.
computer accounts
Much like user accounts, ___ are assigned passwords when the computer is added to the domain; these passwords are automatically maintained between the computer and the domain controllers
global catalogs
One of the primary functions of a ___ is to provide search capability of any object in the forest
Active Directory Users and Computers Advanced Features view
Protect object from accidental deletion option selected; this can only be seen
Windows Server 2012
Starting with ___, you can safely virtualize a domain controller and rapidly deploy virtual domain controllers through cloning. It allows you to quickly restore domain controllers when a failure occurs and to rapidly provision a test environment when you need to deploy and test new features or capabilities before you apply the features or capabilities to production
Domain Naming Master(one per forest)
The Domain Naming Master holds the Domain Naming Master role that controls the addition or removal of domains in the forest. Although the loss of the Domain Naming Master does not affect users, you are not able to add or remove domains from the forest
Infrastructure Master (one per domain)
The Infrastructure Master is used to track which objects belong to which domain because it is responsible for reference updates from its domain objects to other domains. When you rename or move a member of a group (and the members that reside in different domains from the group), the Infrastructure Master is responsible for updating the group so it knows the new name or location of the member. Typically, the loss of the Infrastructure Master is not visible to users. However, it might be seen if you recently moved or renamed a large number of accounts
open the View menu and select Advanced Features
The LostAndFound, NTDS Quotas, Program Data, and System containers are hidden in Active Directory Users and Computers. To view these containers,
Primary Domain Controller (PDC) Emulator (one per domain)
The PDC Emulator was originally created to provide backward compatibility with Windows NT 4.0 domains. It also coordinates password changes, account lockouts, and time synchronization; manages edits to Group Policy Objects (GPOs); and acts as a domain master browser (provides a list of workgroups and domains when you browse). When a password is changed, the domain controller that initiates a password change sends the change to the PDC Emulator, which in turn updates the global catalog server and provides immediate replication to other domain controllers in the domain. Because the PDC Emulator is the most heavily used role and because of the tasks that it does, it can affect users when it is down. For example, if a password is changed, it might not be immediately replicated, which can cause problems when a user tries to access resources. If the system clocks drift too much, users might not be able to log on because Kerberos fails. In addition, account lockout might not work and you might not be able to raise the functional level of a domain
Schema Master (one per forest)
The Schema Master controls all the updates and modifications to the schema. To update the schema of a forest, you must have access to the Schema Master. Although the loss of the Schema Master does not affect the users, you cannot modify the schema or install any applications, such as Microsoft Exchange, that would modify the schema. You are also not able to raise the functional level of the forest
global catalog SRV records (_gc)
The global catalogs are identified by
size of your network and its site configuration
The importance of the global catalog varies depending on
Comma-Separated Value Directory Exchange (CSVDE.exe)
This command-line utility creates new AD DS objects by importing information from a comma-separated value (.csv) file.
Windows PowerShell
This currently approved Windows maintenance tool creates object creation scripts of nearly unlimited complexity
Dsadd.exe
This standard command-line tool creates AD DS leaf objects, which you can use with batch files to create AD DS objects in bulk
.cmd or .bat extension
To create multiple objects (including users, groups, or any other object type) by using a batch file, open Notepad and use the Dsadd.exe syntax described previously, by placing a single command on each line. After you enter the commands you need, save the file and name it by using a
pointing to a DNS server for the domain that you just installed. In addition, it is best that the server is joined to the domain
To install a second domain controller, the server should be
Remove Roles and Features Wizard
To remove a domain controller from an AD DS installation, you must begin by running
Windows Server 2008 or later
To upgrade from FRS to DFSR, the domain functional level must be
•You deploy a computer from an image of another computer and you do not use the sysprep tool to reset the SID.
•The computer account is corrupted.
•The computer is not connected to the domain network for long periods of time
Unfortunately, from time to time, a computer account can become untrusted when the security identifier (SID) or password is different from those stored in Active Directory. This can happen when
Relative Identifier (RID) Master (one per domain)
When a domain controller creates a user, group, or computer object, the RID Master assigns the object a unique security ID (SID). The SID consists of a domain security ID that identifies the domain to which the object belongs and a relative ID that identifies the object within the domain. The RID Master is responsible for assigning relative identifiers to domain controllers in the domain. The RID Master assigns a block of 500 identifiers to each domain controller. When 50% of the supply of RIDs is used, the domain controller contacts the RID Master to request a new supply. Although the loss of the RID Master is not seen by users, it can be seen when administrators are creating objects and the domain runs out of relative IDs to assign. In addition, you will not be able to move objects between domains
•Domain user name (domain_name\username)
•User Principal Name (username@domain_name)
When a user logs onto a domain, a user can log on using one of two methods
3268
When a user or an application performs a search in Active Directory, a search request is sent to the global catalog over TCP port ___, which is used by Active Directory to direct these requests to a global catalog server
safe cloning, in which a cloned domain controller automatically runs a subset of the sysprep process and promotes the server to a domain controller automatically.
When you clone a domain controller you perform
global catalog server
When you promote a server to a domain controller, you have the option of making the domain controller a ___. If you decline to do so, however, you can still make any domain controller a global catalog server later
global catalog
You can make all your domain controllers ___ servers, if you want. The searches will be load balanced, and the replication traffic likely will not overwhelm the network. However, other applications may require a global catalog, such as Microsoft Exchange
Dsadd.exe program
You can write a batch file to create objects in AD DS by following standard batch file rules and calling the ___. You can also use ___ to create, delete, view, and modify Active Directory objects, including users, groups, and OUs
Domain local groups
assign permissions to resources in the same domain as the domain local group. Domain local groups can make permission assignment and maintenance easier to manage
Batch files
commonly used files that can be written by using any text editor
global groups
Grant or deny permissions to any resource located within the same domain directly, or in any domain in the forest by adding the global group as a member of a domain local group that has the desired permissions. Memberships are replicated only to domain controllers within the same domain. Users with common resource needs should be members of a global group, to facilitate the assignment of permissions to resources. You can change the membership of the global group as frequently as necessary to provide users with the necessary resource permissions.
serves little purpose other than universal group searches
if your network consists of a single domain, with domain controllers all located at the same site and well connected, the global catalog
critical
if your network consists of multiple domains with domain controllers located at multiple sites connected by WAN links, the global catalog configuration is
Universal groups
like global groups, can organize users according to their resource access needs. You can use them to provide access to resources located in any domain in the forest
adding a domain controller to an existing domain
must configure the computer to use the DNS server that hosts the existing forest or domain, at least during the Active Directory installation. After the installation, you will still need DNS, but you can use the server's own DNS
organizational unit
Of the default containers, only the Domain Controllers container is an
CSVDE.exe
A plaintext file that consists of records and saves database information in a universally understandable way. This command-line utility enables you to import or export Active Directory objects based on a header record, which identifies the attribute contained in each comma-delimited field. The header record is the first line of the text file and uses proper attribute names. To import into AD DS, the attribute names in the CSV file must match the attributes allowed by the Active Directory schema
Organizational units
The preferred method of subdividing a domain; the domain administrator must create all other OUs. OUs are not considered security principals
1. Grant the source virtualized domain controller the permission to be cloned by adding the source virtualized domain controller to the Cloneable Domain Controllers group.
2. Run the Get-ADDCCloningExcludedApplicationList cmdlet in PowerShell to determine which services and applications on the domain controller are not compatible with cloning.
3. Run New-ADDCCloneConfigFile to create the clone configuration file, which is stored in C:\Windows\NTDS.
4. In Hyper-V, export and then import the virtual machine of the source domain controller.
primary steps to deploy a cloned virtualized domain controller
LDIFDE.exe
Has the same basic functionality as CSVDE.exe and provides the capability to modify existing records in Active Directory. It is the more flexible option because you can modify or delete the objects later, whereas CSVDE.exe does not provide this option
Computer accounts
Stored in the Active Directory hierarchy just as user objects are, and they possess many of the same capabilities, such as the following:
•Computer objects consist of properties that specify the computer's name, where it is located, and who is permitted to manage it.
•Computer objects inherit Group Policy settings from container objects, such as domains, sites, and organizational units.
•Computer objects can be members of groups and inherit permissions from group objects
global catalogs
Stores a full copy of all objects in the domain and also has a partial copy of all objects for all other domains in the forest. The partial copy of all objects is used for logon, object searches, and universal group membership. It is created automatically on the first domain controller in the forest. Optionally, other domain controllers can be configured to serve as ___. As noted earlier, the ___ is an index of all AD DS objects in a forest that prevents systems from having to perform searches among multiple domain controllers
global catalog server
stores enough information to quickly find users across multiple domains. It also contains information about the user to permit or deny the logon request, such as time restrictions or workstation restrictions
Windows Server 2003
universal group membership replication was introduced, which significantly decreased the amount of replication traffic of universal groups
global catalog
used to resolve the UPN name to a user name
Placing a global catalog server at each site is recommended in this case. The initial replication might generate a lot of traffic, but the savings in the long run should be significant
you do not want users performing AD DS searches that must reach across slow, expensive WAN links to contact domain controllers at other sites
operations master roles guidelines
•Place the domain-level roles on high-performance domain controllers.
•Do not place the Infrastructure Master on a global catalog server unless you have only one domain or all the domain controllers in your forest are also global catalogs.
•The Schema Master and Domain Naming Master should be on domain controllers in the forest root domain.
•If the Primary Domain Controller (PDC) Emulator becomes overworked, you should offload non-AD DS roles to other servers, upgrade the PDC Emulator, or move the PDC Emulator to a more powerful computer.
global states of an FRS to DFSR upgrade
•Start (State 0): Live AD DS SYSVOL replication between domain controllers is performed using FRS. DFSR is not being performed. FRS replication occurs with the SYSVOL folder.
•Prepared (State 1): Live AD DS SYSVOL replication between domain controllers is performed using FRS. A separate, behind-the-scenes SYSVOL replication using DFSR is performed on the domain controllers in parallel with the live replication. FRS replication occurs with the SYSVOL folder. DFSR occurs with the SYSVOL_DFSR folder.
•Redirected (State 2): Live AD DS SYSVOL replication between domain controllers is performed using DFSR. A separate, behind-the-scenes SYSVOL replication using FRS is performed on the domain controllers in parallel with the live replication. DFSR occurs with the SYSVOL_DFSR folder. FRS replication occurs with the SYSVOL folder.
•Eliminated (State 3): All live AD DS SYSVOL replication between domain controllers is performed using DFSR. FRS SYSVOL replication is removed, including the SYSVOL folder and its contents, if it was not open during the elimination operation. DFSR occurs with the SYSVOL_DFSR folder.
Domain local groups
•User accounts
•Computer accounts
•Global groups from any domain in the forest
•Universal groups
•Domain local groups from the same domain
Universal groups
•User accounts from any domain in the forest and any trusted domain
•Computer accounts from any domain in the forest and any trusted domain
•Global groups from any domain in the forest
•Other universal groups
global groups
•User accounts from the same domain as the global group
•Computer accounts from the same domain as the global group
•Other global groups from the same domain